Cheriton School of Computer Science Professor Stacey Watson, and their colleagues Manisha Kamarushi, Garreth Tigwell, and Roshan Peiris at Rochester Institute of Technology, have received a best paper award at MobileHCI 2022. Held annually, the ACM International Conference on Mobile Human-Computer Interaction will take place virtually and in person in Vancouver this year from September 28 to October 1.
Their paper, “OneButtonPIN: A single button authentication method for blind or low vision users to improve accessibility and prevent eavesdropping,” describes the development and evaluation of a secure authentication method that allows blind and low-vision users to enter a personal identification number on a smartphone securely while preventing potential adversaries from seeing or hearing the code entered on the device.
About this award-winning research
Authentication mechanisms let users verify their identity on a device and help ensure that the sensitive data it contains remains secure. Authentication can take many forms, from entering a personal identification number (PIN) to tracing a graphical pattern on the device’s screen to using fingerprint or facial recognition to securely log in to a device. To further improve security, some devices are configured to require two-factor authentication to log in, where a user, for example, first enters a passcode on the device’s screen and then uses biometric authentication (facial or fingerprint identification) that is unique to the user.
“Although authentication mechanisms have improved, they still present challenges for blind and low-vision users,” said Professor Stacey Watson, a lecturer at the Cheriton School of Computer Science.
“Facial or fingerprint identification are convenient and accessible ways to log into a device, but if compromised by sophisticated attacks they can be difficult to reset. On the other hand, a passcode can be reset easily by a user, but this authentication method is less secure especially for blind and low-vision users who rely on a screen reader to assist them when entering a code or when an attacker is peering over a user’s shoulder when the person is entering their passcode.”
Despite its limitations, a PIN code is a widely used authentication method and is often used as a backup when biometric authentication methods fail. If a person’s thumb is wet or a face mask prevents the device’s biometric recognition system from working, the fallback for logging in is entering a PIN.
“The goal of our research was to maximize the accessibility of PIN codes, while addressing the issue of shoulder-surfing attacks — situations where a nearby attacker watches a user enter a code on the device’s screen — so people who are blind or have low vision have a secure way to log into their mobile devices without needing to rely on biometric methods,” Professor Watson said.
The research team developed and evaluated a new authentication method they call OneButtonPIN, an interface on a mobile device to improve the accessibility and security of entering a PIN, specifically with blind or low-vision users in mind.
“OneButtonPIN uses a large on-screen button that when pressed and held triggers a sequence of vibrations,” Professor Watson explains. “The user counts the vibrations to enter each digit of the PIN code. To further increase security, we also experimented with random timings to the vibration sequence. Since a user isn’t required to move their finger on the screen and no numbers are read aloud by a screen reader, our new authentication method improves accessibility while maintaining security.”
To evaluate the usability and accessibility of OneButtonPIN, the research team conducted a week-long diary study with nine participants.
“Overall, the authentication method we developed shows much promise,” Professor Watson said. “Using OneButtonPIN, participants entered PIN codes more quickly and with higher accuracy than with traditional PIN code entry interfaces.”
The team also evaluated the security of OneButtonPIN with nine blind and low-vision users to determine its resilience to shoulder surfing.
“In the security study, the main task required participants to guess the PIN code that was entered when using OneButtonPIN,” Professor Watson explained. “While traditional PIN entry methods often can be attacked successfully, the results of our security study showed that OneButtonPIN is exceptionally resilient to shoulder surfing attacks.”
Although designed with blind and low-vision users in mind, the new authentication method could be useful to sighted people as well, said Professor Watson. “As OneButtonPIN is more resilient to shoulder surfing attacks than traditional PIN-based authentication, it could be used on-demand by sighted users in situations where they feel they are being observed.”
To learn more about the research on which this article is based, please see Manisha Kamarushi, Stacey L. Watson, Garreth W. Tigwell, and Roshan L. Peiris. OneButtonPIN: A Single Button Authentication Method for Blind and Low Vision Users to Improve Accessibility and Prevent Eavesdropping. Proceedings of the ACM Human Computer Interaction, 6, MHCI, Article 212 (September 2022).